ZENworks 11 SP4 Full Disk Encryption Deployment on Standard Drives

With standard hard disks, ZENworks Full Disk Encryption provides sector-based encryption of the entire disk or selected volumes (partitions). All files on a volume are encrypted, including any temporary files, swap files, or operating system files. Because all files are encrypted, the data cannot be accessed when booting the computer from external media such as a CD-ROM, floppy disk, or USB drive. You can choose the industry-standard encryption algorithm (AES, Blowfish, DES, or DESX) and key length that best meets your organizations requirements.

As an added layer of security, ZENworks Full Disk Encryption provides optional pre-boot authentication. With pre-boot authentication, the device boots to a Linux partition and loads the ZENworks Pre-Boot Authentication (PBA) module. As soon as the user provides the appropriate credentials (user ID/password or smart card), the PBA terminates and the Windows operating system boots, providing access to the encrypted data on the previously hidden and inaccessible Windows drives.

WARNING:When applying a full disk encryption policy, ensure that the encryption process is not interrupted prematurely with a power change on the disk drive(s); otherwise, all data on the disk can be lost due to disk corruption. You can check the encryption status on the device by accessing Full Disk Encryption > About in the ZENworks Adaptive Agent.

Disk corruption due to power change has only been noted on secondary drives, but it may also be applicable to primary drives. For this reason, the following precautions are strongly recommended before applying a full disk encryption policy to a device:

If possible, select the AES algorithm when configuring the full disk encryption policy.

Selecting the AES algorithm should preclude disk corruption from occurring in the event of a power-down during encryption. However, the additional precautions are best practices that will reduce the risk of possible disk corruption.

Pre-configure devices receiving the policy so that power options are set to never automatically shut off, hibernate, or sleep.

Inform all device users of the need to keep their devices running during the encryption process, to include avoiding Sleep and Hibernation options.

Task

Details

Make sure the hard drive meets the requirements for full disk encryption.

Check that ZENworks Full Disk Encryption is enabled by double-clicking the ZENworks icon in the notification area of the device to display the ZENworks Adaptive Agent properties. If Full Disk Encryption is displayed in the left navigation pane, ZENworks Full Disk Encryption is enabled on the device. For help enabling ZENworks Full Disk Encryption, see Configuring Agent Settings on the Device Level in the ZENworks 11 SP4 Adaptive Agent Reference.

Create the Disk Encryption policy to apply to the device.

The Disk Encryption policy contains the encryption and pre-boot authentication settings to apply to the device.

On the device, double-click the ZENworks icon, then click Full Disk Encryption. In the Full Disk Encryption Agent Actions section, click About to display the About dialog box. The Status field displays the current encryption status. When initial encryption is complete, the status will be Policy enforced, with drive encrypted.

Legal Notices

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.novell.com/company/legal/.

Third-Party Material

All third-party trademarks are the property of their respective owners.